CVE-2025-69420 in OpenSSL 3.0.18

[hegyre]

Describe the bug

Update OpenSSL to 3.0.19 to address CVE-2025-69420

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

OpenSSL is updated to a version that does not contain the CVE

Current Behavior

AWS CLI contains a version of OpenSSL with the CVE

Reproduction Steps

N/A

Possible Solution

OpenSSL is updated to a version that does not contain the CVE

Additional Information/Context

N/A

CLI version used

2.34.6

Environment details (OS name and version, etc.)

Windows

[ashovlin]

We have confirmed that the AWS CLI is not affected by CVE-2025-69420 or the other CVEs listed in https://openssl-library.org/news/secadv/20260127.txt and customers do not need to take any action to mitigate them.

However, we understand that some security scanners may flag these due to the current dependency. We do intend to update to 3.0.19 once Python does upstream for the MacOS and Windows installers. We're watching python/cpython#144551 which has not been released yet.